Position Independent Code

self sufficiency of combining program

Producing a listing file

• If you supply the -l option to NASM, followed (with the usual optional space) by a file name, NASM will generate a source-listing file for you, in which addresses and generated code are listed on the left, and the actual source code, with expansions of multi-line macros

• For example:

nasm -f elf asm0.s -l asm.lst

1 section .rodata 2 00000000 0500000006000000 data_strat: dd 5,6 3 00000008 6D795F66756E632072- fmt: db "my_func result is: %d", 10, 0 4 00000011 6573756C742069733A- 5 0000001A 202025640A00 6 %define num1 8 7 %define num2 7 8 9 section .text 10 global my_func 11 global main 12 extern printf 13 14 main: 15 00000000 55 push ebp 16 00000001 89E5 mov ebp, esp 17 18 00000003 6808000000 push dword num1 19 00000008 6807000000 push dword num2 20 0000000D E81B000000 call my_func 21 00000012 81C408000000 add esp, 8 22 23 00000018 50 push eax 24 00000019 68[08000000] push fmt 25 0000001E E8(00000000) call printf 26 00000023 81C408000000 add esp, 8 27 28 00000029 89EC mov esp, ebp 29 0000002B 5D pop ebp 30 0000002C C3 ret 31

Example of a listing file (main)

32 my_func: 33 0000002D 55 push ebp 34 0000002E 89E5 mov ebp, esp 35 36 00000030 8B4D08 mov ecx, [ebp+8] ; get n 37 00000033 B800000000 mov eax, 0 38 39 func_loop: 40 00000038 8B5D0C mov ebx, [ebp+12] ; get m 41 0000003B 01D8 add eax, ebx 42 0000003D 49 dec ecx 43 0000003E 7405 jz func_fin 44 00000040 E9F3FFFFFF jmp func_loop 45 46 func_fin: 47 00000045 89EC mov esp, ebp 48 00000047 5D pop ebp 49 00000048 C3 ret

Example of a listing file (my_func)

self sufficiency of combining program

If we have one program which is PIC we can add this program to any other program without fear that it might not work because the PIC program has every this it needs interiorly.

Position Independent Code

• No direct use of labels

• Only relative jumps.

• “call” is relative.

• No global variables (no data , rodata or bss).

• No library functions

• Only system calls.

No direct use of labels

Labels are solved by the assembler and linkerat compile time to an absolute number .

So if the code is moved the number wont becorrect any more.

Remember” label’s address don’t change at run-time though the code address may change.

No direct use of labels

1 section .data 2 00000000 48656C6C6F20776F72- hello: db 'Hello world!',10 3 00000009 6C64210A 4 helloLen: equ $ - hello 5 6 section .text 7 global _start 8 9 _start: 10 00000000 B9[00000000] mov ecx,hello 11 00000005 BA0D000000 mov edx,helloLen 12 13 0000000A B804000000 mov eax,4 14 0000000F BB01000000 mov ebx,1 15 16 00000014 CD80 int 80h 17 18 00000016 B801000000 mov eax,1 19 0000001B BB00000000 mov ebx,0 20 00000020 CD80 int 80h

Only relative jumps

We can use only relative jumps because the code we wish to jump to may change its position .

If all the code change its position relative jumps are still valid because the address difference is preserved.

“call” is relative

We can still use “call” instruction because it makes a relative jump to the procedure which means that the new IP (after “call”) will be the old IP (before “call”) plus a number (may be negative) with was the address difference of the two places calculated by the assembler.

No global variables

There are no global variables because we can’t assume that DATA, RODATA or BSS sections exists.

If they do exists we don’t know their address and we can’t allocate memory there.

We can use constant variables (mainly strings) as a part of our code.

No library functions

We don’t know if and where the library functions are .

Thus there are no “printf” “gets” “open” “strlen” and so on…

Only system calls

To perform I/O operation we have to use the Linux system calls because INT 0x80 isn’t a regular procedure it is called via the interrupt table which is static.

Finding your code address at run-time

get_my_loc:

call next_i

next_i:

pop edx

ret

Finding your code address at run-time

Since we can use the “call” instruction because it makes a relative jump we can call a function that we write in our code .

The call instruction push the current IP at run-time.

Thus if we know where “call” was, we now posses an anchor address at run-time.

Using strings – PIC examplesection .data

name: db "Moshe",10,0nameLen equ $ - name

global _startget_my_loc:

call next_inext_i: pop edx ret_start:

call get_my_loc sub edx, next_i - name

mov ecx,edxmov edx,nameLenmov eax,4

mov ebx,1int 80hmov eax,1int 80h

Using strings – PIC example 1 section .data 2 3 00000000 4D6F7368650A00 name db "Moshe",10,0 4 nameLen equ $ - name 5 6 global _start 7 get_my_loc: 8 00000007 E801000000 call next_i 9 0000000C C3 ret 10 next_i: 11 0000000D 5A pop edx 12 _start: 13 0000000F E8F3FFFFFF call get_my_loc 14 00000014 81EA0D000000 sub edx, next_i - name 15 0000001A 89D1 mov ecx,edx 16 0000001C BA07000000 mov edx,nameLen 17 00000021 B804000000 mov eax,4 18 00000026 BB01000000 mov ebx,1 19 0000002B CD80 int 80h 20 0000002D B801000000 mov eax,1 21 00000032 CD80 int 80h

Using strings – PIC example

Get_my_loc function gets the address of “next_i “ at run-time the address difference between “next_i” and “name” is constant even if the code will change it’s position .

So when we find the address of “next_i” using the listing file we can find the address of “name” at run time.

Jump tables

Jump table applications

• To implement a “switch” or a “case”.

• To select a function to be evoked.

How to implement a “switch” ora “case”.

• We will construct a array of the jump addresses .

• For each number will jump to the corresponding entry in the jump table

Main.c

extern void jumper(int);

int main (int argc , char* argv)

{

jumper (0);

jumper (1);

jumper (2);

return 0;

}

jump.ssection .datajt:

dd label_1dd label_2

str0: db "Got the number 0",10,0str1: db "Got the number 1",10,0str2: db "Out of bound",10,0str3: db "num = %d",10,0section .text

align 16global jumperextern printf

jumper:push ebpmov ebp,esppushamov ebx,dword [ebp+8]push ebxpush str3call printf ; Print numadd esp, 8cmp ebx,0 ; Check if num is in boundsjb out_ofcmp ebx ,1ja out_ofshl ebx,2 ; num = num * 4jmp dword [ebx+jt] ; Jump according to address in

table

label_1:push str0call printfadd esp, 4jmp end

label_2:push str1call printfadd esp, 4jmp end

out_of:push str2call printfadd esp, 4jmp end

end:popapop ebpret

Output

num = 0

Got the number 0

num = 1

Got the number 1

num = 2

Out of bound

jump_pic.ssection .datajt:

dd label_1 - next_i ; For PIC, this is an offsetdd label_2 - next_i

str0: db "Got the number 0",10,0str1: db "Got the number 1",10,0str2: db "Out of bound",10,0str3: db "num = %d",10,0section .text

align 16global jumperextern printf

get_my_loc: call next_inext_i: pop edx retjumper:

push ebpmov ebp,esppushamov ebx,dword [ebp+8]push ebxpush str3call printf ; Print numadd esp, 8cmp ebx,0 ; Check if num is in boundsjb out_ofcmp ebx ,1ja out_of

shl ebx,2mov ebx, dword [ebx + jt]call get_my_locadd edx, ebxjmp dword edx

label_1:push str0call printfadd esp, 4jmp end

label_2:push str1call printfadd esp, 4jmp end

out_of:push str2call printfadd esp, 4jmp end

end:popapop ebpret